Optimising the Christiana Mavroyiakoumou

Introduction

The quadratic sieve is a factorisation algorithm created in 1981 by Carl Pomerance. It is the second fastest algorithm known to date and can be used to factorise numbers up to around 120 digits. Its runtime is sub-exponential.

Some Useful Definitions

A quadratic residue (mod n) is a number $a$ such that $x^2 \equiv a \pmod{n}$ has a solution, for $a, n \in \mathbb{N}$ coprime.

If the prime decomposition of $n$ is $p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$, then the exponent vector, $v$, is the vector $(a_1, a_2, \ldots, a_k)$.

For an odd prime $p$, the Legendre Symbol is defined as

$$\left(\frac{n}{p}\right) = \begin{cases} 1 & \text{if } n \text{ is a quadratic residue} \pmod{p} \\ -1 & \text{if } n \text{ is a non-residue} \pmod{p} \\ 0 & \text{if } n \equiv 0 \pmod{p} \end{cases}$$

An integer $n$ is B-smooth if all its prime factors are less than or equal to $B$. The quadratic sieve searches for B-smooth numbers.

Choosing B

Choosing B implies a tradeoff: a small B facilitates checking if a number is B-smooth, but makes it unlikely to find any. A large B increases the chance of finding B-smooth numbers but at the same time factorising each number becomes harder. Heuristic analysis showed that the best choice for the smoothness bound B is about $e^{\frac{1}{2}\sqrt{\ln n \,\ln\ln n}}$.

Legendre Symbol

The Legendre Symbol is computed using Euler's criterion:

$$\left(\frac{n}{p}\right) \equiv n^{(p-1)/2} \pmod{p}$$

If the Legendre Symbol for a prime is 1 then include this prime in the factor base. Since primes giving −1 do not appear in the factorisations, discard them. About 50% of the primes satisfy the condition: checking for fewer prime factors makes the sieving step faster.

The basic Quadratic Sieve algorithm

The idea is that for $x, y$ with $x \not\equiv \pm y \pmod{n}$ such that $x^2 \equiv y^2 \pmod{n}$, a non-trivial factor of $n$ can be obtained via $\gcd(x \pm y, n)$. This gcd is found by Euclid's algorithm and the probability of the corresponding factor being non-trivial is at least $\frac{1}{2}$.

1. Choose B.
2. Form the factor base consisting of primes $p \le B$ for which the Legendre symbol equals 1.
3. Start with $x = \lceil \sqrt{n} \rceil$. Make an array of $x^2 \bmod n$, $(x+1)^2 \bmod n$, $(x+2)^2 \bmod n$, ... and sieve for B-smooth numbers. Do this until a set of at least $d + 1$ smooth numbers is formed (to ensure a linear dependency), where $d$ is the dimension of the factor base.
4. Form a matrix with its columns being the exponent vectors of each B-smooth number mod 2.
5. Compute the kernel mod 2 with Gauss's method. A kernel vector combines the congruences in such a way as to give even exponents, thus a solution of $x^2 \equiv y^2 \pmod{n}$.
6. Calculate $x = x_1 x_2 \cdots x_d \bmod n$ and $y = \sqrt{(x_1^2 - n)(x_2^2 - n) \cdots (x_d^2 - n)} \bmod n$.
7. The non-trivial factors of $n$ are $a = \gcd(x \pm y, n)$.

[Figure: flowchart with boxes labelled choice of B, initialisation, sieving, linear algebra, factorisation, trivial factor, non-trivial factor, stop]

Plots of B-smooth numbers

[Figure: plots of B-smooth numbers]

Parameters:
n = 4108131370631997507088207501257298124693
B = 25458.
Used Legendre for factor base but not large prime variation and the sieve method was logs with cutoff 20.

Sieving step

A variation of the Sieve of Eratosthenes instead of trial division is used to make the sieving step faster. Divide $x^2 \pmod{n}$ by each of the primes in the factor base and its powers. All the B-smooth numbers will be reduced to 1.

And again this can be improved further using logarithms which handle smaller numbers.

Symmetric Sieving

A symmetric sieve stays in a closer distance to $\lceil \sqrt{n} \rceil$ until the matrix is full. A sieve just above or just below needs to go further away from $\lceil \sqrt{n} \rceil$ to find the last B-smooth numbers.

This is not good because numbers get harder to factor and B-smooth numbers get rare.

Using Logarithms

The most time-consuming step is sieving, since it can be required to check a very large set of numbers to see if they are B-smooth. Using approximations of the logarithms of each prime being sieved makes the sieving step more efficient.

The advantage of the method is that we save time by performing a subtraction instead of a division.

Large Prime Variations

In practice, it often occurs that congruences are almost B-smooth except having one larger prime factor, and therefore can't be used in the sieve. These numbers are stored in hope of being matched with another number having the same large prime factor, thus completing the square.

The probability of numbers in the list having the same pair of large primes is analogous to the birthday paradox. It says that in a set of 23 people, at least two of them have the same birthday with probability of more than 50%.
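Steps 1 to 7 of the basic algorithm, as an added Python example that is not code from the poster. It assumes n is odd, composite and not a prime power, always puts 2 in the factor base, and tests each candidate by dividing out the factor-base primes rather than sieving an array; all function names are chosen here for illustration.

```python
import math

def legendre(n, p):
    """Legendre symbol (n/p) by Euler's criterion, for an odd prime p."""
    r = pow(n, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def choose_bound(n):
    """Heuristic smoothness bound B = exp(0.5 * sqrt(ln n * ln ln n))."""
    return int(math.exp(0.5 * math.sqrt(math.log(n) * math.log(math.log(n)))))

def factor_base(n, B):
    """Primes p <= B with (n/p) = 1; 2 is added as an assumption for odd n."""
    primes = [p for p in range(3, B + 1, 2)
              if all(p % q for q in range(3, math.isqrt(p) + 1, 2))]
    return [2] + [p for p in primes if legendre(n, p) == 1]

def parity_if_smooth(q, base):
    """Exponent vector mod 2 (as a bitmask) if q reduces to 1, else None."""
    mask = 0
    for i, p in enumerate(base):
        while q % p == 0:
            q //= p
            mask ^= 1 << i
    return mask if q == 1 else None

def quadratic_sieve(n, B=None):
    """Return a non-trivial factor of n (odd, composite, not a prime power)."""
    base = factor_base(n, B or choose_bound(n))
    rels, pivots = [], {}      # (x, x^2 - n) pairs; lowest bit -> (vector, history)
    x = math.isqrt(n) + 1      # ceil(sqrt(n)) when n is not a perfect square
    while True:
        q = x * x - n          # congruent to x^2 (mod n)
        vec = parity_if_smooth(q, base)
        if vec is not None:
            hist = 1 << len(rels)
            rels.append((x, q))
            while vec and (vec & -vec) in pivots:   # Gaussian elimination mod 2
                pv, ph = pivots[vec & -vec]
                vec, hist = vec ^ pv, hist ^ ph
            if vec:
                pivots[vec & -vec] = (vec, hist)
            else:              # kernel vector: the chosen q's multiply to a square
                chosen = [r for i, r in enumerate(rels) if hist >> i & 1]
                X = math.prod(r[0] for r in chosen) % n
                Y = math.isqrt(math.prod(r[1] for r in chosen))
                g = math.gcd(X - Y, n)
                if 1 < g < n:
                    return g
        x += 1
```

For n = 1649 the relations 41² ≡ 32 and 43² ≡ 200 combine to 114² ≡ 80², and gcd(114 − 80, 1649) = 17. For toy-sized n the heuristic bound can leave the factor base too small to ever find enough smooth values, so pass B explicitly in that case.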